Make the net ansible section never run and add appropriate warnings

ansible/cluster_nodes.yml

@@ -1,24 +1,31 @@
 ---
  
 - hosts: cluster_nodes
-  #serial: 1
   roles:
     - role: common
       tags: base
-
     - role: users
       tags: account
 
-# UNSAFE
+# UNSAFE!! This section is disabled by default, to run it the flags -t net should be added
-#    - role: network
+# to the ansible playbook command line.
-#      tags: net
+# Reason: when rules.{v4,v6} are changed, the whole iptables configuration is reloaded.
+# This creates issues with Docker, which injects its own configuration in iptables when it starts.
+# In practice, most (all?) containers will break if rules.{v4,v6} are changed,
+# and docker will have to be restared.
+- hosts: cluster_nodes
+  roles:
+   - role: network
+     tags: [ net, never ]
 
+- hosts: cluster_nodes
+  serial: 1
+  roles:
     - role: consul
       tags: kv
-
     - role: nomad
       tags: orchestrator
 
-# UNSAFE
+# UNSAFE!! This section configures glusterfs. Once done, don't run it ever again as it may break stuff.
 #   - role: storage
 #      tags: sto

ansible/roles/network/files/rules.v6

@@ -1,3 +1,9 @@
+# WARNING!! When rules.{v4,v6} are changed, the whole iptables configuration is reloaded.
+# This creates issues with Docker, which injects its own configuration in iptables when it starts.
+# In practice, most (all?) containers will break if rules.{v4,v6} are changed,
+# and docker will have to be restared.
+
+
 *filter
 :INPUT DROP [0:0]
 :FORWARD DROP [0:0]

ansible/roles/network/templates/rules.v4.j2

@@ -1,3 +1,8 @@
+# WARNING!! When rules.{v4,v6} are changed, the whole iptables configuration is reloaded.
+# This creates issues with Docker, which injects its own configuration in iptables when it starts.
+# In practice, most (all?) containers will break if rules.{v4,v6} are changed,
+# and docker will have to be restared.
+
 
 *filter
 :INPUT DROP [0:0]